PatchSiren cyber security CVE debrief

CVE-2026-8140 Concrete CMS CVE debrief

CVE-2026-8140 is a cross-site request forgery (CSRF) weakness in Concrete CMS affecting versions 9.5.0 and below. According to the supplied description, the /dashboard/extend/install/download/<remoteId> route checks only canInstallPackages() and does not validate a CSRF token before fetching a remote marketplace package and writing it to the server. If an administrator who holds that permission visits a crafted page while logged in, and the site is connected to the Concrete marketplace, the page can make the administrator's browser trigger an unwanted package download.

Vendor
Concrete CMS
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Concrete CMS administrators and security teams should care most, especially for sites that are connected to the Concrete marketplace and have users who can install packages. More generally, any application whose state-changing admin actions rely on a cookie-backed browser session without a token check is exposed to CSRF, because the browser attaches the session cookie to requests initiated by other sites.

Technical summary

The vulnerability is identified as CWE-352 (CSRF). The NVD record describes a GET-based, state-changing download() path in concrete/controllers/single_page/dashboard/extend/install.php that checks authorization but not CSRF protection. Because the endpoint can be triggered through an authenticated administrator's browser session, an attacker who can induce a visit to a malicious page may force the server to retrieve a marketplace package and store it under DIR_PACKAGES. The supplied vector is CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, with a vendor-assigned score of 7.5 (High). Note that PR:N describes the attacker, who needs no account on the target; the victim's session supplies the canInstallPackages() permission, which is why the vector carries UI:A (a permitted administrator must be lured to the page) and AT:P (the marketplace connection must be in place).
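The following is an added example, not Concrete CMS code or anything from the vendor. It models the weakness class described above: a state-changing admin route that checks the permission but skips the CSRF token, beside a hardened form that requires POST and validates a per-session token before any side effect. The route path and the canInstallPackages() name come from the CVE description; the session model, the HMAC token scheme and the use of a ccm_token request parameter are assumptions for illustration.

```python
"""Generic CSRF model (added example, not Concrete CMS code).

Vulnerable handler: GET route, permission check only.
Hardened handler:   POST only, permission check, then token validation.
Route path and permission name are from the CVE description; the session,
token scheme and 'ccm_token' parameter are assumptions for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

ROUTE_PREFIX = "/dashboard/extend/install/download/"
DOWNLOAD_ACTION = "marketplace/download"


@dataclass
class Session:
    """Server-side session bound to the victim's browser cookie."""
    can_install_packages: bool
    # Per-session secret; a page on another origin can never read it.
    csrf_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))


@dataclass
class Request:
    method: str
    path: str
    # The browser sends the session cookie on cross-site requests too, so a
    # forged request still arrives with the admin's session attached.
    session: Optional[Session]
    params: dict = field(default_factory=dict)


def csrf_token(session: Session, action: str) -> str:
    """Per-session, per-action token: HMAC-SHA256 over the action name."""
    return hmac.new(session.csrf_secret, action.encode(), hashlib.sha256).hexdigest()


def token_valid(session: Session, action: str, supplied: Optional[str]) -> bool:
    """Constant-time comparison; a missing token is never valid."""
    if not supplied:
        return False
    return hmac.compare_digest(csrf_token(session, action), supplied)


def remote_id_from(path: str) -> str:
    return path[len(ROUTE_PREFIX):]


def download_vulnerable(req: Request, installed: list) -> int:
    """Pattern from the description: any page the admin visits can fire this
    via an <img> tag or a redirect, because only the permission is checked."""
    if req.session is None or not req.session.can_install_packages:
        return 403
    installed.append(remote_id_from(req.path))  # stands in for the write to DIR_PACKAGES
    return 302


def download_hardened(req: Request, installed: list) -> int:
    """Same action with the missing controls added before any side effect."""
    if req.method != "POST":
        return 405
    if req.session is None or not req.session.can_install_packages:
        return 403
    if not token_valid(req.session, DOWNLOAD_ACTION, req.params.get("ccm_token")):
        return 403  # token absent or wrong: treat the request as forged
    installed.append(remote_id_from(req.path))
    return 302


def simulate() -> dict:
    """Replay a cross-site forgery and a legitimate dashboard submission
    against both handlers; returns status codes and what got installed."""
    admin = Session(can_install_packages=True)
    path = ROUTE_PREFIX + "3457"
    out = {}

    # Attacker's page: the cookie rides along, but the attacker cannot read
    # the session secret, so the best it can do is guess a token.
    forged_get = Request("GET", path, admin)
    forged_post = Request("POST", path, admin, {"ccm_token": "0" * 64})

    v_installed: list = []
    out["vulnerable_forged_get"] = (download_vulnerable(forged_get, v_installed), list(v_installed))

    h_installed: list = []
    out["hardened_forged_get"] = download_hardened(forged_get, h_installed)
    out["hardened_forged_post"] = download_hardened(forged_post, h_installed)

    # Legitimate request: the dashboard rendered the real token into its form.
    legit = Request("POST", path, admin, {"ccm_token": csrf_token(admin, DOWNLOAD_ACTION)})
    out["hardened_legit"] = (download_hardened(legit, h_installed), list(h_installed))
    return out


if __name__ == "__main__":
    for name, result in simulate().items():
        print(name, result)
```

The point of the simulation is the asymmetry: the forged requests carry the administrator's session exactly as the real one does, so a permission check alone cannot tell them apart; only the token, derived from a secret the attacker's origin cannot read, separates the two.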

Defensive priority

High. This is an authenticated-browser CSRF issue in an administrative path that can alter server-side package state. Even though exploitation requires user interaction and a victim who holds canInstallPackages(), the impact is substantial enough to justify prompt review and remediation.

Recommended defensive actions

  • Update Concrete CMS to the vendor-fixed release referenced in the official release notes linked from the CVE record.
  • Verify that package-install and marketplace-related admin actions enforce CSRF token validation in addition to permission checks, and that state-changing actions are not reachable with a plain GET.
  • Review any customizations or overrides around /dashboard/extend/install/download/<remoteId> and related admin routes for missing token enforcement.
  • Limit who has canInstallPackages() permission to the smallest practical set of trusted administrators.
  • Monitor administrative activity for unexpected package downloads or package changes, especially in environments connected to the Concrete marketplace; in web server access logs, hits on the download route with an off-site or absent Referer are worth reviewing.
  • Follow the official Concrete CMS release notes and CVE/NVD entries for remediation guidance and confirmation of the fixed version.
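As an added example of the monitoring step above (not PatchSiren or Concrete CMS code), the following scans web server access logs for requests to the marketplace download route and classifies each hit by its Referer and response status. It assumes the Apache/nginx "combined" log format, an optional /index.php prefix in front of the route, and the hostname cms.example.org for the protected site; the log lines are constructed for the example.

```python
"""Hunt for cross-site triggering of the marketplace download route in
'combined'-format access logs (added example, not vendor code).

Assumptions: combined log format with Referer present; the route may appear
with or without an /index.php prefix; SITE_HOST is the protected site.
The sample log is constructed for this example.
"""
import re
from urllib.parse import urlsplit

SITE_HOST = "cms.example.org"  # assumed hostname of the protected site

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ROUTE_RE = re.compile(r'^(?:/index\.php)?/dashboard/extend/install/download/(?P<remote_id>[^/?#]+)')

# Constructed sample: one forged hit, one same-origin hit, one unrelated page,
# one denied unauthenticated probe, one hit with no Referer at all.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2026:10:01:02 +0000] "GET /dashboard/extend/install/download/3457 HTTP/1.1" 302 0 "https://evil.example/offer.html" "Mozilla/5.0"
198.51.100.7 - - [21/May/2026:10:05:30 +0000] "GET /index.php/dashboard/extend/install/download/1120 HTTP/1.1" 302 0 "https://cms.example.org/dashboard/extend/install" "Mozilla/5.0"
198.51.100.7 - - [21/May/2026:10:06:00 +0000] "GET /dashboard/extend/install HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.9 - - [21/May/2026:10:07:00 +0000] "GET /dashboard/extend/install/download/3457 HTTP/1.1" 403 0 "-" "curl/8.0"
198.51.100.7 - - [21/May/2026:10:09:00 +0000] "GET /dashboard/extend/install/download/2001 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the combined-format fields as a dict, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict, site_host: str = SITE_HOST):
    """Classify one log entry; None if it is not the download route."""
    route = ROUTE_RE.match(entry["path"])
    if route is None:
        return None
    status = int(entry["status"])
    referer = entry["referer"]
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    if status >= 400:
        verdict = "denied"           # request rejected; probe, not a successful download
    elif ref_host is None:
        verdict = "no-referer"       # referrer policy can strip it; investigate
    elif ref_host == site_host:
        verdict = "same-origin"      # consistent with a real dashboard click; review
    else:
        verdict = "cross-site"       # triggered from another origin: likely CSRF
    return {
        "ip": entry["ip"],
        "ts": entry["ts"],
        "remote_id": route.group("remote_id"),
        "status": status,
        "referer_host": ref_host,
        "verdict": verdict,
    }


def hunt(log_text: str, site_host: str = SITE_HOST) -> list:
    """Return a finding for every hit on the download route, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry, site_host)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} remoteId={f['remote_id']} {f['status']} {f['verdict']}")
```

A missing Referer is not proof of forgery, since referrer policies and privacy extensions strip it, so the "no-referer" and "same-origin" verdicts are review queues rather than alerts; the "cross-site" verdict on a 2xx/3xx response is the one that should page someone, and every successful hit should be reconciled against what actually landed under DIR_PACKAGES.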

Evidence notes

Supplied source data identifies CVE-2026-8140 as published on 2026-05-21 with the same modified timestamp. The description states that Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>, that canInstallPackages() is checked, and that the marketplace must be connected for the issue to be reachable. The NVD metadata classifies the weakness as CWE-352 and assigns the CVSS v4.0 vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. NVD also links an official Concrete CMS release notes page; however, the supplied corpus does not confirm the exact fixed version, so "9.5.0 and below" is an upper bound on affected releases, not a statement of where the fix landed. The vendor metadata in the source item is low-confidence, so product identification should be grounded in the CVE description and the official Concrete CMS reference rather than the "Unknown" product field above.

Official resources

Publicly disclosed on 2026-05-21; the supplied description credits the reporter maru1009. The CVE record and the NVD entry were both published the same day, and the official Concrete CMS release notes page linked from the NVD entry is the vendor reference for the fix.